metsvc


  • This topic is locked
22 replies to this topic

#1 DarUrjakar_Jahkrhan
  • Members
  • 49 posts

Posted 30 March 2018 - 01:42 AM

I found Windows requesting access for metsvc.exe through the firewall a few days ago, but I had to leave Windows locked because I was busy.
I looked up what it was and it seems to be a backdoor.
Things I have done recently were installing some software: Revo Uninstaller Pro (cracked), Vysor and IObit Driver Booster (portable).
I think I have not downloaded anything else potentially harmful.
metsvc did not appear right after any of these installations; I was away when it did, and the internet connection was on.
Another thing I can think of is a relative I live with at the moment who studies programming, and whom I have caught more than once intruding into my laptop in ways such as using portable Kali Linux and successfully stealing my passwords and files. Also, we are both on the same router with Ethernet cables.
I cannot fix the matter with them, and I am rather ignorant about IT security and programming.
I am not sure whether it could be them or not.

Attachments: IMG_20180327_170614428.jpg, IMG_20180327_171007907.jpg, IMG_20180327_171949888_BURST000_COVER_TO



#2 Oh My!
  • Malware Response Instructor
  • 36,161 posts
  • Location: California

Posted 30 March 2018 - 03:54 PM

Greetings DarUrjakar_Jahkrhan and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. I am going to request that you uninstall all cracked software or other software for which you do not have a required product key. If you are willing to do that, complete the following after the removal.

===================================================

CKScanner

--------------------
  • Download CKScanner and save it to your Desktop
  • Double click CKScanner
  • Select Search For Files
  • Once completed select Save List to File
  • A ckfiles.txt document will be placed on your Desktop
  • Copy and paste the results of that report in your reply
===================================================

Farbar Recovery Scan Tool (FRST)

--------------------
  • Download Farbar Recovery Scan Tool for either 32 bit or 64 bit systems and save it to your Desktop. <<< Important
  • If your computer is set up for other than English right click on the FRST/FRST64 icon and rename it to also include "english", i.e. FRST64english
  • Right click on the icon and select Run as administrator
  • Click Yes to the disclaimer
  • Click Scan and allow the program to run
  • Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen
  • 2 Notepad documents should now be open on your desktop.
  • Please copy and paste the contents of each report in separate reply windows
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • ckfiles report
  • FRST report
  • Addition report

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

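The FRST scan requested above produces a plain-text report whose Services, Drivers and "One Month Created files and folders" sections are where a persistence mechanism such as a rogue service usually shows up. As an added example, not part of this thread and not code from FRST or BleepingComputer, the Python below parses those three sections and ranks the entries a responder checks first: a service or driver whose name is on a watch list (seeded here with "metsvc", the name that prompted the thread), whose binary FRST marks as unsigned or missing, or which runs from a user-writable path, plus any newly created executable under Temp, AppData or ProgramData. The embedded report is constructed in FRST's layout for the example; the username, the Temp directory and both metsvc lines are hypothetical.

```python
"""Triage an FRST (Farbar Recovery Scan Tool) report. Added example, not FRST's own code:
parses the Services, Drivers and "One Month Created files and folders" sections and flags
watch-listed names (metsvc here), unsigned or missing binaries, and user-writable paths."""
import re
from dataclasses import dataclass

# Constructed sample in FRST's layout. The username, the Temp directory and both metsvc
# entries are hypothetical; the remaining lines mimic ordinary report entries.
SAMPLE_REPORT = r"""
==================== Services (Whitelisted) ====================
R2 AESTFilters; C:\Program Files\IDT\WDM\AESTSr64.exe [89600 2009-03-03] (Andrea Electronics Corporation) [File not signed]
S3 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6440736 2018-03-03] (Malwarebytes)
R2 metsvc; C:\Users\user\AppData\Local\Temp\gXhQ\metsvc.exe [20480 2018-03-27] () [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)
===================== Drivers (Whitelisted) ======================
R0 veracrypt; C:\Windows\System32\drivers\veracrypt.sys [631200 2018-03-17] (IDRIX)
S3 pmxdrv; C:\Windows\system32\drivers\pmxdrv.sys [31152 2018-03-16] ()
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
==================== One Month Created files and folders ========
2018-03-31 09:26 - 2018-03-31 09:27 - 000012595 _____ C:\Users\user\Desktop\FRST.txt
2018-03-27 17:05 - 2018-03-27 17:05 - 000020480 _____ () C:\Users\user\AppData\Local\Temp\gXhQ\metsvc.exe
2018-03-25 07:00 - 2017-08-23 11:26 - 000204016 _____ (HP Inc.) C:\Windows\system32\hpmtp210.dll
2018-03-24 13:42 - 2018-03-24 13:42 - 000027552 _____ (REALiX) C:\Windows\SysWOW64\Drivers\HWiNFO64A.SYS
==================== One Month Modified files and folders ========
"""

# "R2 name; path [size date] (company) [flag]": R/S = running/stopped, digit = start type;
# the size/date, company and flag parts are each optional in FRST output.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+); (?P<path>.+?)"
    r"(?: \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\])?"
    r"(?: \((?P<company>[^)]*)\))?(?: \[(?P<flag>[^\]]*)\])?$")
# "created - modified - size attrs (company) path"; company appears only if version info exists.
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>\S{5}) (?:\((?P<company>[^)]*)\) )?(?P<path>.+)$")
SECTION_RE = re.compile(r"^=+ (?P<title>.+?) =+$")
USER_WRITABLE_RE = re.compile(r"\\(AppData|ProgramData|Temp|Users\\Public)\\", re.I)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".bat", ".cmd", ".ps1", ".vbs", ".js")


@dataclass
class Finding:
    section: str
    name: str
    path: str
    reasons: list


def parse_report(text):
    """Return {'services': [...], 'drivers': [...], 'created': [...]} of regex group dicts."""
    sections = {"services": [], "drivers": [], "created": []}
    current = None
    for line in text.splitlines():
        line = line.strip()
        head = SECTION_RE.match(line)
        if head:  # a "==== Title ====" banner starts a new section (or leaves the ones parsed here)
            title = head.group("title")
            current = ("services" if title.startswith("Services") else
                       "drivers" if title.startswith("Drivers") else
                       "created" if title.startswith("One Month Created") else None)
            continue
        m = (CREATED_RE if current == "created" else SERVICE_RE).match(line) if current else None
        if m:
            sections[current].append(m.groupdict())
    return sections


def _reasons(name, path, company, flag, watch):
    """Why an entry deserves a look; company '' means version info with no publisher."""
    r = []
    if name.lower().split(".")[0] in watch:
        r.append("name on watch list")
    if flag == "X":
        r.append("registered but file missing")
    if flag == "File not signed":
        r.append("binary not signed")
    if company is not None and not company.strip():
        r.append("no publisher in version info")
    if USER_WRITABLE_RE.search(path):
        r.append("in a user-writable location")
    return r


def triage(text, watch_names=("metsvc",)):
    """Entries worth a closer look, most reasons first; a hit is a lead, not a verdict."""
    sections = parse_report(text)
    watch = {n.lower() for n in watch_names}
    findings = []
    for section in ("services", "drivers"):
        for e in sections[section]:
            r = _reasons(e["name"], e["path"], e["company"], e["flag"], watch)
            if r:
                findings.append(Finding(section, e["name"], e["path"], r))
    for e in sections["created"]:
        name = e["path"].rsplit("\\", 1)[-1]
        if not name.lower().endswith(EXEC_EXT):
            continue  # only newly created executable content matters here
        r = _reasons(name, e["path"], e["company"] or "", None, watch)
        if r:
            findings.append(Finding("created", name, e["path"], r))
    findings.sort(key=lambda f: -len(f.reasons))  # stable sort: ties keep report order
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.section}] {f.name}: {f.path}\n    " + "; ".join(f.reasons))
```

To run it on a real report, read FRST.txt into a string and pass it to triage(). The output is a prioritisation aid, not a verdict: an unsigned OEM driver in System32 is routine on an older laptop, while a service with no publisher whose binary sits in a Temp directory is exactly the entry to hand to the helper untouched, since the ground rules above ask that nothing be removed before the logs are reviewed.
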
#3 DarUrjakar_Jahkrhan
  • Topic Starter
  • Members
  • 49 posts

Posted 31 March 2018 - 02:32 AM

I would like to inform you that the firewall request and the metsvc file are still open and unchanged, like in the photos I showed.
What should I do about them?

#4 DarUrjakar_Jahkrhan
  • Topic Starter
  • Members
  • 49 posts

Posted 31 March 2018 - 02:33 AM

CKFILES.TXT


CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11.FRLBB0
----- EOF -----

#5 DarUrjakar_Jahkrhan
  • Topic Starter
  • Members
  • 49 posts

Posted 31 March 2018 - 02:34 AM

FRST.txt


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14.03.2018
Ran by WHITE (administrator) on WHITE-PC (31-03-2018 09:26:46)
Running from C:\Users\WHITE\Desktop
Loaded Profiles: WHITE (Available Profiles: WHITE)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(SMSC) C:\Program Files\SGFX\sgfxmgr.exe
(Broadcom Corporation) C:\Program Files\Broadcom\Broadcom 802.11\WLTRYSVC.EXE
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Broadcom Corporation) C:\Program Files\Broadcom\Broadcom 802.11\BCMWLTRY.EXE
(Andrea Electronics Corporation) C:\Program Files\IDT\WDM\AESTSr64.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
(SeriousBit) C:\Program Files\NetBalancer\SeriousBit.NetBalancer.Service.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Broadcom Corporation) C:\Program Files\Broadcom\Broadcom 802.11\WLTRAY.EXE
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(SeriousBit) C:\Program Files\NetBalancer\SeriousBit.NetBalancer.Tray.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(IDRIX) C:\Program Files\VeraCrypt\VeraCrypt.exe
(Microsoft Corporation) C:\Windows\System32\StikyNot.exe
() C:\Program Files\SGFX\SgfxConfig.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(BitTorrent Inc.) C:\Users\WHITE\AppData\Roaming\uTorrent\uTorrent.exe
(BitTorrent Inc.) C:\Users\WHITE\AppData\Roaming\uTorrent\updates\3.5.3_44358\utorrentie.exe
(BitTorrent Inc.) C:\Users\WHITE\AppData\Roaming\uTorrent\updates\3.5.3_44358\utorrentie.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1664000 2012-10-24] (IDT, Inc.)
HKLM\...\Run: [Broadcom Wireless Manager UI] => C:\Program Files\Broadcom\Broadcom 802.11\WLTRAY.exe [7177728 2018-03-16] (Broadcom Corporation)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2774256 2013-09-04] (Synaptics Incorporated)
HKLM-x32\...\Run: [SgfxConfig] => C:\Program Files\SGFX\sgfxconfig.exe [2233080 2013-01-11] ()
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2011-01-26] (Intel Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587800 2017-12-19] (Oracle Corporation)
HKLM-x32\...\Run: [FxSound Enhancer] => C:\Program Files (x86)\DFX\dfx.exe [1695224 2018-03-18] ()
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-3304123577-1118726963-4268761665-1000\...\Run: [NetBalancer] => C:\Program Files\NetBalancer\SeriousBit.NetBalancer.Tray.exe [1915448 2018-02-05] (SeriousBit)
HKU\S-1-5-21-3304123577-1118726963-4268761665-1000\...\Run: [VeraCrypt] => C:\Program Files\VeraCrypt\VeraCrypt.exe [5597840 2018-03-17] (IDRIX)
HKU\S-1-5-21-3304123577-1118726963-4268761665-1000\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-14] (Microsoft Corporation)
GroupPolicy\User: Restriction <==== ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{2E1FC222-F2D8-4126-ABFC-2BE0FCB5C82D}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{DB318157-F6A1-46DB-A78E-5C2BC146D3F6}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKU\S-1-5-21-3304123577-1118726963-4268761665-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/ar-eg/?ocid=iehp
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_161\bin\ssv.dll [2018-03-17] (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_161\bin\jp2ssv.dll [2018-03-17] (Oracle Corporation)
BHO-x32: SpeedBit Link Verification Helper -> {D5974A72-C81C-4DC3-BE77-A8A7BBC8864E} -> C:\Program Files (x86)\DAP\LinkVerifier.dll [2018-03-18] (Speedbit Ltd.)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)

FireFox:
========
FF HKLM-x32\...\Firefox\Extensions: [daplinkchecker@speedbit.com] - C:\Program Files (x86)\DAP\daplinkchecker
FF Extension: (DAP Link Checker) - C:\Program Files (x86)\DAP\daplinkchecker [2018-03-18] [Legacy] [not signed]
FF Plugin: @java.com/DTPlugin,version=11.161.2 -> C:\Program Files\Java\jre1.8.0_161\bin\dtplugin\npDeployJava1.dll [2018-03-17] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.161.2 -> C:\Program Files\Java\jre1.8.0_161\bin\plugin2\npjp2.dll [2018-03-17] (Oracle Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2018-03-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2018-03-16] (Google Inc.)

Chrome:
=======
CHR Session Restore: Default -> is enabled.
CHR Profile: C:\Users\WHITE\AppData\Local\Google\Chrome\User Data\Default [2018-03-31]
CHR Extension: (Slides) - C:\Users\WHITE\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2018-03-16]
CHR Extension: (Docs) - C:\Users\WHITE\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2018-03-16]
CHR Extension: (Google Drive) - C:\Users\WHITE\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2018-03-16]
CHR Extension: (YouTube) - C:\Users\WHITE\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2018-03-16]
CHR Extension: (Tabs Outliner) - C:\Users\WHITE\AppData\Local\Google\Chrome\User Data\Default\Extensions\eggkanocgddhmamlbiijnphhppkpkmkl [2018-03-16]
CHR Extension: (Sheets) - C:\Users\WHITE\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2018-03-16]
CHR Extension: (Download Accelerator Plus (DAP)) - C:\Users\WHITE\AppData\Local\Google\Chrome\User Data\Default\Extensions\ffdcfjdljhbehggjdkdioajnknjcpbjb [2018-03-18]
CHR Extension: (Google Docs Offline) - C:\Users\WHITE\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2018-03-16]
CHR Extension: (Vysor) - C:\Users\WHITE\AppData\Local\Google\Chrome\User Data\Default\Extensions\gidgenkbbabolejbgbpnhbimgjbffefm [2018-03-24]
CHR Extension: (Voice Recorder) - C:\Users\WHITE\AppData\Local\Google\Chrome\User Data\Default\Extensions\jehegmanppiacmmpiifhjalpkigpcida [2018-03-16]
CHR Extension: (UltraSurf Security, Privacy & Unblock VPN) - C:\Users\WHITE\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjnbclmflcpookeapghfhapeffmpodij [2018-03-18]
CHR Extension: (Chrome Web Store Payments) - C:\Users\WHITE\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2018-03-16]
CHR Extension: (Gmail) - C:\Users\WHITE\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2018-03-16]
CHR Extension: (Chrome Media Router) - C:\Users\WHITE\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-03-16]
CHR HKLM-x32\...\Chrome\Extension: [ffdcfjdljhbehggjdkdioajnknjcpbjb] - C:\Program Files (x86)\DAP\DAPChrome\DAPChrome6.crx [2018-03-18]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AESTFilters; C:\Program Files\IDT\WDM\AESTSr64.exe [89600 2009-03-03] (Andrea Electronics Corporation) [File not signed]
S3 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6440736 2018-03-03] (Malwarebytes)
S2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [50688 2016-06-15] (HP Inc.) [File not signed]
R2 NetBalancerService; C:\Program Files\NetBalancer\SeriousBit.NetBalancer.Service.exe [184376 2018-02-05] (SeriousBit)
S2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [66048 2016-06-15] (HP Inc.) [File not signed]
S2 SbieSvc; C:\Program Files\Sandboxie\SbieSvc.exe [328344 2018-03-09] (Sandboxie Holdings, LLC)
R2 SGFXMgr; C:\Program Files\SGFX\sgfxmgr.exe [8480256 2013-01-10] (SMSC) [File not signed]
R2 STacSV; C:\Program Files\IDT\WDM\STacSV64.exe [327680 2012-10-24] (IDT, Inc.) [File not signed]
S2 VeraCryptSystemFavorites; C:\Windows\system32\VeraCrypt.exe [5597840 2018-03-17] (IDRIX)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)
R2 wltrysvc; C:\Program Files\Broadcom\Broadcom 802.11\bcmwltry.exe [5862400 2018-03-16] (Broadcom Corporation) [File not signed]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 DFX11_1; C:\Windows\System32\drivers\dfx11_1x64.sys [28008 2017-06-19] (Windows ® Win 7 DDK provider)
R3 DFX12; C:\Windows\System32\drivers\dfx12x64.sys [29688 2017-06-19] (Windows ® Win 7 DDK provider)
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [76200 2018-01-18] ()
R1 HWiNFO32; C:\Windows\SysWOW64\drivers\HWiNFO64A.SYS [27552 2018-03-24] (REALiX™)
R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [193248 2018-03-22] (Malwarebytes)
S3 MBAMFarflt; C:\Windows\System32\DRIVERS\farflt.sys [109800 2018-03-22] (Malwarebytes)
S3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [253664 2018-03-22] (Malwarebytes)
S3 MBAMWebProtection; C:\Windows\System32\DRIVERS\mwac.sys [92280 2018-03-22] (Malwarebytes)
R1 nbdrv; C:\Windows\System32\DRIVERS\nbdrv.sys [40976 2016-01-15] (SeriousBit)
S3 pmxdrv; C:\Windows\system32\drivers\pmxdrv.sys [31152 2018-03-16] ()
S3 Revoflt; C:\Windows\SysWOW64\DRIVERS\revoflt.sys [40240 2016-12-21] (VS Revo Group)
S3 SbieDrv; C:\Program Files\Sandboxie\SbieDrv.sys [228208 2018-03-09] (Sandboxie Holdings, LLC)
R4 sgfxk; C:\Windows\System32\drivers\sgfxk64.sys [157432 2013-01-14] (SMSC)
R0 sgfxl; C:\Windows\System32\drivers\sgfxl64.sys [18168 2013-01-14] (SMSC)
R0 veracrypt; C:\Windows\System32\drivers\veracrypt.sys [631200 2018-03-17] (IDRIX)
S3 MBAMProtection; system32\DRIVERS\mbam.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-03-31 09:26 - 2018-03-31 09:27 - 000012595 _____ C:\Users\WHITE\Desktop\FRST.txt
2018-03-31 09:25 - 2018-03-31 09:26 - 000000000 ____D C:\FRST
2018-03-31 07:16 - 2018-03-31 07:16 - 000000127 _____ C:\Users\WHITE\Desktop\ckfiles.txt
2018-03-31 06:49 - 2018-03-31 06:46 - 002403328 ____N (Farbar) C:\Users\WHITE\Desktop\FRST64.exe
2018-03-31 06:49 - 2018-03-31 06:40 - 000468480 ____N () C:\Users\WHITE\Desktop\CKScanner.exe
2018-03-25 07:49 - 2018-03-25 07:49 - 001437308 _____ C:\Users\WHITE\Desktop\0620_s17_qp_61.pdf
2018-03-25 07:49 - 2018-03-25 07:49 - 000913316 _____ C:\Users\WHITE\Desktop\0620_s17_qp_21.pdf
2018-03-25 07:22 - 2018-03-25 07:23 - 016343704 _____ C:\Users\WHITE\Downloads\hp_pcl_5_printer_32bit_5_7_0_16448_driver.zip
2018-03-25 07:21 - 2018-03-25 07:21 - 000000000 ____D C:\Users\Public\Documents\Hewlett-Packard
2018-03-25 07:18 - 2015-08-18 06:14 - 000603376 _____ (HP) C:\Windows\SysWOW64\hpcdmc32.dll
2018-03-25 07:18 - 2015-08-18 06:13 - 000309488 _____ (Hewlett-Packard Company) C:\Windows\system32\hpmlm180.dll
2018-03-25 07:18 - 2015-08-18 06:13 - 000202992 _____ (Hewlett-Packard) C:\Windows\system32\hpmtp180.dll
2018-03-25 07:18 - 2015-08-18 06:12 - 000263920 _____ (Hewlett-Packard) C:\Windows\system32\hpmml180.dll
2018-03-25 07:18 - 2015-08-18 06:12 - 000235760 _____ (Hewlett-Packard) C:\Windows\system32\hpmja180.dll
2018-03-25 07:18 - 2015-08-18 06:11 - 000482032 _____ (Hewlett-Packard Corporation) C:\Windows\system32\hpcpn180.dll
2018-03-25 07:18 - 2015-08-18 06:06 - 000446704 _____ (Hewlett Packard Corporation) C:\Windows\SysWOW64\hpcc3180.dll
2018-03-25 07:15 - 2018-03-25 07:16 - 019786968 _____ C:\Users\WHITE\Downloads\upd-pcl5-x64-6.1.0.20062.exe
2018-03-25 07:06 - 2018-03-25 07:06 - 000000000 ____D C:\Users\WHITE\AppData\Local\ElevatedDiagnostics
2018-03-25 07:00 - 2018-03-25 07:00 - 000000000 _____ C:\Windows\HPMProp.INI
2018-03-25 07:00 - 2017-08-23 11:26 - 000204016 _____ (HP Inc.) C:\Windows\system32\hpmtp210.dll
2018-03-25 07:00 - 2017-08-23 11:25 - 000529136 _____ (HP Inc.) C:\Windows\system32\hpcpn210.dll
2018-03-25 07:00 - 2017-08-23 11:25 - 000494320 _____ (HP Inc.) C:\Windows\SysWOW64\hpcc3210.dll
2018-03-25 07:00 - 2017-08-23 11:25 - 000265128 _____ (HP Inc.) C:\Windows\system32\hpmml210.dll
2018-03-25 07:00 - 2017-08-23 11:25 - 000242088 _____ (HP Inc.) C:\Windows\system32\hpmja210.dll
2018-03-25 07:00 - 2017-08-23 11:25 - 000229616 _____ (HP Inc.) C:\Windows\system32\hpmpm081.dll
2018-03-25 07:00 - 2017-08-23 11:25 - 000178416 _____ (HP Inc.) C:\Windows\system32\hpcjpm.dll
2018-03-25 07:00 - 2017-08-23 11:25 - 000127728 _____ (HP Inc.) C:\Windows\system32\hpmpw081.dll
2018-03-25 07:00 - 2017-08-23 11:24 - 000310696 _____ (HP Inc.) C:\Windows\system32\hpmlm190.dll
2018-03-25 07:00 - 2017-08-23 11:24 - 000195312 _____ (Hewlett-Packard) C:\Windows\system32\hppdcompio.dll
2018-03-25 07:00 - 2017-08-23 11:24 - 000169200 _____ (Hewlett-Packard) C:\Windows\SysWOW64\hppccompio.dll
2018-03-25 07:00 - 2017-08-23 11:24 - 000061352 _____ (Hewlett-Packard) C:\Windows\system32\FxCompChannel_x64.dll
2018-03-25 06:59 - 2018-03-25 07:18 - 000000000 ____D C:\HP Universal Print Driver
2018-03-25 06:56 - 2018-03-25 06:58 - 018600800 _____ C:\Users\WHITE\Downloads\upd-pcl6-x64-6.5.0.22695.exe
2018-03-24 14:44 - 2018-03-24 14:58 - 000000000 ____D C:\Users\WHITE\AppData\Roaming\Vysor
2018-03-24 14:44 - 2018-03-24 14:44 - 000002112 _____ C:\Users\WHITE\Desktop\Vysor.lnk
2018-03-24 14:43 - 2018-03-24 14:44 - 000000000 ____D C:\Users\WHITE\AppData\Local\Vysor
2018-03-24 14:39 - 2018-03-24 14:43 - 051567104 _____ (ClockworkMod) C:\Users\WHITE\Downloads\Vysor-win32-ia32.exe
2018-03-24 14:34 - 2018-03-24 14:34 - 000000000 ____D C:\Users\WHITE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
2018-03-24 13:53 - 2018-03-31 07:14 - 000000000 ____D C:\Users\WHITE\AppData\Roaming\IObit
2018-03-24 13:53 - 2018-03-31 07:14 - 000000000 ____D C:\ProgramData\ProductData
2018-03-24 13:53 - 2018-03-31 07:14 - 000000000 ____D C:\ProgramData\IObit
2018-03-24 13:53 - 2018-03-24 13:53 - 000000000 ____D C:\Windows\IObit
2018-03-24 13:52 - 2018-03-24 13:52 - 000000000 ____D C:\ProgramData\Synaptics
2018-03-24 13:49 - 2018-03-24 13:49 - 000000000 ____D C:\Program Files\Synaptics
2018-03-24 13:42 - 2018-03-31 07:10 - 000000000 ____D C:\Users\WHITE\AppData\LocalLow\IObit
2018-03-24 13:42 - 2018-03-24 13:42 - 000027552 _____ (REALiX™) C:\Windows\SysWOW64\Drivers\HWiNFO64A.SYS
2018-03-24 13:23 - 2018-03-24 13:23 - 000000000 ____D C:\Users\WHITE\Downloads\DriverToolkit
2018-03-24 13:21 - 2018-03-24 13:21 - 002449376 _____ (Megaify Software ) C:\Users\WHITE\Downloads\DriverToolkitInstaller.exe
2018-03-24 10:49 - 2018-03-24 10:55 - 060695642 _____ C:\Users\WHITE\Desktop\10000000_399582587100997_5910598276083613696_n.mp4
2018-03-24 10:39 - 2018-03-24 10:43 - 044324155 _____ C:\Users\WHITE\Desktop\10000000_1861643193859254_442515497028681728_n.mp4
2018-03-24 08:17 - 2018-03-24 08:19 - 024120044 _____ C:\Users\WHITE\Downloads\com.sec.android.app.music_16.2.11.2-1621102000_minAPI21(armeabi,armeabi-v7a)(nodpi)_apkmirror.com.apk
2018-03-23 21:19 - 2018-03-23 21:28 - 130049328 _____ (Hewlett-Packard Company ) C:\Users\WHITE\Downloads\sp64284.exe
2018-03-23 16:41 - 2011-11-03 15:49 - 000012800 _____ (Hewlett Packard) C:\Windows\EricssonMobileBroadbandFWVer.dll
2018-03-23 16:27 - 2018-03-25 07:00 - 000000000 ____D C:\ProgramData\Hewlett-Packard
2018-03-23 16:25 - 2013-11-25 09:01 - 000008192 ____N (Ericsson AB) C:\Windows\EricssonMobileBroadbandVer.dll
2018-03-23 16:24 - 2018-03-23 16:27 - 000000000 ____D C:\Users\WHITE\AppData\Roaming\hpqLog
2018-03-23 16:24 - 2018-03-23 16:24 - 000000000 ____D C:\Program Files (x86)\Hewlett-Packard
2018-03-23 15:52 - 2018-03-23 15:52 - 000000000 ____D C:\Windows\Options
2018-03-23 15:52 - 2009-12-03 15:29 - 000026624 ____N (LSI Corporation) C:\Windows\SysWOW64\agrscoin.dll
2018-03-23 15:52 - 2009-12-03 15:28 - 000064000 ____N (LSI Corporation) C:\Windows\SysWOW64\agrsmdel.exe
2018-03-23 15:52 - 2009-12-03 15:28 - 000027648 ____N (LSI Corporation) C:\Windows\SysWOW64\agrsco64.dll
2018-03-22 19:14 - 2018-03-23 07:03 - 000005782 _____ C:\Users\WHITE\Desktop\WNetWatcher.cfg
2018-03-22 19:14 - 2018-03-22 19:14 - 000357782 _____ C:\Users\WHITE\Downloads\wnetwatcher.zip
2018-03-22 19:14 - 2018-02-22 09:13 - 000886480 _____ (NirSoft) C:\Users\WHITE\Desktop\WNetWatcher.exe
2018-03-22 18:31 - 2018-03-22 18:31 - 209715200 _____ C:\Users\WHITE\Documents\lost
2018-03-22 08:13 - 2018-03-24 08:07 - 000000000 ____D C:\Users\WHITE\Desktop\New folder (3)
2018-03-22 07:26 - 2018-03-22 17:15 - 000092280 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2018-03-22 07:26 - 2018-03-22 07:26 - 000253664 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2018-03-22 07:26 - 2018-03-22 07:26 - 000193248 _____ (Malwarebytes) C:\Windows\system32\Drivers\MbamChameleon.sys
2018-03-22 07:26 - 2018-03-22 07:26 - 000109800 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2018-03-22 07:25 - 2018-03-22 07:25 - 000001867 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2018-03-22 07:25 - 2018-03-22 07:25 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2018-03-22 07:25 - 2018-03-22 07:25 - 000000000 ____D C:\ProgramData\Malwarebytes
2018-03-22 07:25 - 2018-03-22 07:25 - 000000000 ____D C:\Program Files\Malwarebytes
2018-03-22 07:25 - 2018-01-18 09:03 - 000076200 _____ C:\Windows\system32\Drivers\mbae64.sys
2018-03-22 07:19 - 2018-03-22 07:24 - 070931976 _____ (Malwarebytes ) C:\Users\WHITE\Downloads\mb3-setup-consumer-3.4.4.2398-1.0.322-1.0.4434.exe
2018-03-22 01:40 - 2018-03-09 01:35 - 000545432 ____N C:\Users\WHITE\Desktop\ALT01.mcr
2018-03-22 01:40 - 2018-03-09 01:35 - 000302725 ____N C:\Users\WHITE\Desktop\efweawe.mcr
2018-03-22 01:40 - 2018-03-09 01:35 - 000002178 ____N C:\Users\WHITE\Desktop\details.txt
2018-03-22 01:40 - 2018-03-09 01:35 - 000000674 ____N C:\Users\WHITE\Desktop\macro 3 perfect.mrf
2018-03-22 01:40 - 2018-03-09 01:35 - 000000620 ____N C:\Users\WHITE\Desktop\urjakar.mrf
2018-03-22 00:56 - 2018-03-24 07:29 - 000000000 ____D C:\Users\WHITE\Desktop\New folder (2)
2018-03-22 00:24 - 2018-03-24 12:55 - 000000149 _____ C:\Users\WHITE\Desktop\New Text Document (2).txt
2018-03-22 00:22 - 2018-03-22 00:23 - 000000000 ____D C:\Users\WHITE\Desktop\New folder
2018-03-22 00:11 - 2018-03-22 00:11 - 000000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_WinUsb_01009.Wdf
2018-03-21 22:59 - 2018-03-21 22:59 - 000000000 ____D C:\Users\WHITE\.android
2018-03-21 22:55 - 2018-03-24 14:44 - 000000000 ____D C:\Users\WHITE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ClockworkMod
2018-03-21 22:55 - 2018-03-21 22:55 - 000000000 ____D C:\Program Files (x86)\ClockworkMod
2018-03-21 22:46 - 2018-03-21 22:48 - 018114048 _____ C:\Users\WHITE\Downloads\CarbonSetup.msi
2018-03-18 22:05 - 2018-03-18 22:05 - 000000000 ____D C:\Users\WHITE\AppData\Local\DFX
2018-03-18 22:01 - 2018-03-18 22:07 - 000000000 ____D C:\Program Files (x86)\DFX
2018-03-18 22:01 - 2018-03-18 22:01 - 000001700 _____ C:\Users\Public\Desktop\FxSound Enhancer.lnk
2018-03-18 22:01 - 2018-03-18 22:01 - 000000000 ____D C:\Users\Guest\AppData\Roaming\vlc
2018-03-18 22:01 - 2018-03-18 22:01 - 000000000 ____D C:\Users\Guest
2018-03-18 22:01 - 2018-03-18 22:01 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\vlc
2018-03-18 22:01 - 2018-03-18 22:01 - 000000000 ____D C:\Users\Administrator
2018-03-18 22:01 - 2018-03-18 22:01 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FxSound Enhancer
2018-03-18 21:50 - 2018-03-18 21:51 - 000000000 ____D C:\Program Files\Revo Uninstaller Pro
2018-03-18 21:50 - 2018-03-18 21:50 - 000000000 ____D C:\Users\WHITE\AppData\Local\VS Revo Group
2018-03-18 21:50 - 2018-03-18 21:50 - 000000000 ____D C:\ProgramData\VS Revo Group
2018-03-18 21:50 - 2018-03-18 21:50 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller Pro
2018-03-18 20:52 - 2018-03-18 21:58 - 000000000 ____D C:\Users\WHITE\AppData\Roaming\Opera Software
2018-03-18 20:52 - 2018-03-18 21:58 - 000000000 ____D C:\Users\WHITE\AppData\Local\Opera Software
2018-03-18 20:49 - 2018-03-18 20:49 - 001408000 _____ (Opera Software) C:\Users\WHITE\Downloads\OperaSetup.exe
2018-03-18 20:44 - 2018-03-18 20:44 - 000000000 ____D C:\Users\WHITE\AppData\Roaming\Adobe
2018-03-18 20:37 - 2018-03-18 21:59 - 000000000 ____D C:\Users\WHITE\AppData\Roaming\Mozilla
2018-03-18 20:37 - 2018-03-18 21:59 - 000000000 ____D C:\Users\WHITE\AppData\Local\Mozilla
2018-03-18 20:37 - 2018-03-18 20:47 - 000000000 ____D C:\Users\WHITE\AppData\LocalLow\Mozilla
2018-03-18 20:34 - 2018-03-18 20:34 - 000313544 _____ (Mozilla) C:\Users\WHITE\Downloads\Firefox Installer.exe
2018-03-18 20:17 - 2018-03-18 21:58 - 000000000 ____D C:\Windows\SysWOW64\Macromed
2018-03-18 20:17 - 2018-03-18 20:43 - 000804352 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2018-03-18 20:17 - 2018-03-18 20:43 - 000144896 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2018-03-18 20:17 - 2018-03-18 20:17 - 000004474 _____ C:\Windows\System32\Tasks\Adobe Flash Player PPAPI Notifier
2018-03-18 20:15 - 2018-03-18 20:43 - 000000000 ____D C:\Users\WHITE\AppData\Local\Adobe
2018-03-18 16:57 - 2018-03-18 20:13 - 000000436 __RSH C:\Users\WHITE\ntuser.pol
2018-03-18 15:53 - 2018-03-18 15:55 - 001475328 _____ (NCH Software) C:\Users\WHITE\Downloads\kbsetup.exe
2018-03-18 14:08 - 2018-03-18 14:11 - 029711414 _____ C:\Users\WHITE\Downloads\136.html
2018-03-18 13:36 - 2018-03-18 13:36 - 000000282 _____ C:\Windows\system32\VeraCrypt System Favorite Volumes.xml
2018-03-18 13:36 - 2018-03-17 07:02 - 005597840 _____ (IDRIX) C:\Windows\system32\VeraCrypt.exe
2018-03-18 03:28 - 2018-03-18 03:28 - 029711576 _____ C:\Users\WHITE\Desktop\136.rar
2018-03-18 03:07 - 2018-03-18 03:08 - 000302530 _____ C:\Users\WHITE\Downloads\20.pdf
2018-03-18 02:46 - 2018-03-18 02:47 - 000000000 ____D C:\Users\WHITE\Desktop\facebook-100008364304926
2018-03-18 01:52 - 2018-03-18 02:42 - 1894529548 _____ C:\Users\WHITE\Downloads\facebook-100008364304926.zip
2018-03-18 01:03 - 2018-03-18 01:44 - 516586515 _____ C:\Users\WHITE\Downloads\Unconfirmed 965553.crdownload
2018-03-18 01:02 - 2018-03-18 01:02 - 000431336 _____ C:\Users\WHITE\Desktop\test.php
2018-03-18 01:01 - 2018-03-18 01:03 - 000000000 ____D C:\Users\WHITE\Documents\My DAP Downloads
2018-03-18 01:01 - 2018-03-18 01:02 - 000000000 ____D C:\ProgramData\TEMP
2018-03-18 01:01 - 2018-03-18 01:01 - 000172032 _____ (Jin Hui E-mail: jinhui@jcomsoft.com Web: hxxp://www.jcomsoft.com) C:\Windows\SysWOW64\AniGIF.ocx
2018-03-18 01:01 - 2018-03-18 01:01 - 000001045 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Download Accelerator Plus (DAP).lnk
2018-03-18 01:01 - 2018-03-18 01:01 - 000000000 ____D C:\Users\WHITE\AppData\Roaming\SpeedBit
2018-03-18 01:01 - 2018-03-18 01:01 - 000000000 ____D C:\Users\WHITE\AppData\LocalLow\SpeedBIT
2018-03-18 01:01 - 2018-03-18 01:01 - 000000000 ____D C:\ProgramData\SpeedBit
2018-03-18 01:01 - 2018-03-18 01:01 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Download Accelerator Plus (DAP)
2018-03-18 01:01 - 2018-03-18 01:01 - 000000000 ____D C:\Program Files (x86)\DAP
2018-03-18 00:59 - 2018-03-18 01:01 - 010818216 _____ C:\Users\WHITE\Downloads\dap10_full.exe
2018-03-17 21:37 - 2018-03-17 21:37 - 000110144 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge-64.dll
2018-03-17 21:37 - 2018-03-17 21:37 - 000000000 ____D C:\Users\WHITE\AppData\Roaming\Sun
2018-03-17 21:37 - 2018-03-17 21:37 - 000000000 ____D C:\Users\WHITE\AppData\LocalLow\Sun
2018-03-17 21:37 - 2018-03-17 21:37 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2018-03-17 21:36 - 2018-03-17 21:37 - 000000000 ____D C:\ProgramData\Oracle
2018-03-17 21:35 - 2018-03-17 21:35 - 000000000 ____D C:\Program Files\Java
2018-03-17 21:18 - 2018-03-17 21:23 - 071328320 _____ (Oracle Corporation) C:\Users\WHITE\Downloads\jre-8u161-windows-x64.exe
2018-03-17 20:19 - 2018-03-17 20:20 - 000000000 ____D C:\Users\WHITE\AppData\Roaming\Signal
2018-03-17 20:19 - 2018-03-17 20:19 - 000002405 _____ C:\Users\WHITE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Signal.lnk
2018-03-17 20:19 - 2018-03-17 20:19 - 000002397 _____ C:\Users\WHITE\Desktop\Signal.lnk
2018-03-17 20:17 - 2018-03-17 20:17 - 000000000 ___SD C:\Users\WHITE\AppData\LocalLow\Temp
2018-03-17 20:16 - 2018-03-31 09:27 - 000000000 ____D C:\Users\WHITE\AppData\Roaming\uTorrent
2018-03-17 20:16 - 2018-03-25 07:47 - 000000000 ____D C:\Users\WHITE\AppData\LocalLow\uTorrent
2018-03-17 20:16 - 2018-03-17 20:16 - 000000793 _____ C:\Users\WHITE\AppData\Roaming\Microsoft\Windows\Start Menu\µTorrent.lnk
2018-03-17 20:15 - 2018-03-17 20:15 - 003114288 _____ (BitTorrent Inc.) C:\Users\WHITE\Downloads\uTorrent.exe
2018-03-17 20:09 - 2018-03-25 18:13 - 000000000 ____D C:\Users\WHITE\AppData\Roaming\WhatsApp
2018-03-17 20:09 - 2018-03-17 20:09 - 000002154 _____ C:\Users\WHITE\Desktop\WhatsApp.lnk
2018-03-17 20:09 - 2018-03-17 20:09 - 000000000 ____D C:\Users\WHITE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WhatsApp
2018-03-17 20:08 - 2018-03-24 14:44 - 000000000 ____D C:\Users\WHITE\AppData\Local\SquirrelTemp
2018-03-17 20:08 - 2018-03-17 20:09 - 000000000 ____D C:\Users\WHITE\AppData\Local\WhatsApp
2018-03-17 20:05 - 2018-03-17 20:11 - 068818104 _____ (Open Whisper Systems) C:\Users\WHITE\Downloads\signal-desktop-win-1.6.1.exe
2018-03-17 19:55 - 2018-03-17 20:06 - 139492624 _____ (WhatsApp) C:\Users\WHITE\Downloads\WhatsAppSetup.exe
2018-03-17 19:00 - 2018-03-24 12:59 - 000000000 ____D C:\Users\WHITE\AppData\Roaming\vlc
2018-03-17 19:00 - 2018-03-17 19:00 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN
2018-03-17 18:59 - 2018-03-17 18:59 - 000000000 ____D C:\Program Files\VideoLAN
2018-03-17 18:56 - 2018-03-17 18:51 - 040159904 ____N C:\Users\WHITE\Downloads\vlc-3.0.1-win64.exe
2018-03-17 18:30 - 2018-03-17 18:35 - 000000000 ____D C:\Users\WHITE\Documents\Bandicam
2018-03-17 18:30 - 2018-03-17 18:30 - 000000000 ____D C:\Users\WHITE\AppData\Roaming\Bandicam Company
2018-03-17 18:28 - 2018-03-17 18:28 - 000000992 _____ C:\Users\Public\Desktop\Bandicam.lnk
2018-03-17 18:28 - 2018-03-17 18:28 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Bandicam
2018-03-17 18:28 - 2018-03-17 18:28 - 000000000 ____D C:\Program Files (x86)\BandiMPEG1
2018-03-17 18:28 - 2018-03-17 18:28 - 000000000 ____D C:\Program Files (x86)\Bandicam
2018-03-17 18:28 - 2015-01-02 21:33 - 000071168 _____ C:\Users\WHITE\Desktop\keymaker.exe
2018-03-17 18:24 - 2018-03-09 01:17 - 234187530 ____N C:\Users\WHITE\Desktop\STATIC.avi
2018-03-17 14:25 - 2018-03-17 14:25 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sandboxie
2018-03-17 14:25 - 2018-03-17 14:25 - 000000000 ____D C:\Program Files\Sandboxie
2018-03-17 14:24 - 2018-03-17 14:24 - 005637784 _____ (Sandboxie Holdings, LLC) C:\Users\WHITE\Downloads\SandboxieInstall.exe
2018-03-17 14:04 - 2018-03-17 14:04 - 000001128 _____ C:\Users\WHITE\Desktop\Facebook Gameroom.lnk
2018-03-17 14:04 - 2018-03-17 14:04 - 000000000 ____D C:\Users\WHITE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Facebook
2018-03-17 14:04 - 2018-03-17 14:04 - 000000000 ____D C:\Users\WHITE\AppData\Local\Facebook
2018-03-17 14:04 - 2018-03-17 14:04 - 000000000 ____D C:\Users\WHITE\AppData\Local\CEF
2018-03-17 14:00 - 2018-03-17 14:00 - 000260656 _____ (Facebook) C:\Users\WHITE\Downloads\FacebookGameroom.exe
2018-03-17 07:52 - 2018-03-17 07:52 - 001835008 _____ C:\Users\WHITE\Documents\VeraCrypt Rescue Disk.iso
2018-03-17 07:50 - 2018-03-17 07:50 - 000000000 ____D C:\ProgramData\VeraCrypt
2018-03-17 07:42 - 2018-03-17 07:42 - 000000000 _____ C:\Users\WHITE\Desktop\New Text Document.txt
2018-03-17 07:03 - 2018-03-18 13:36 - 000000000 ____D C:\Users\WHITE\AppData\Roaming\VeraCrypt
2018-03-17 07:02 - 2018-03-17 07:02 - 000631200 _____ (IDRIX) C:\Windows\system32\Drivers\veracrypt.sys
2018-03-17 07:02 - 2018-03-17 07:02 - 000000000 ____D C:\Users\WHITE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VeraCrypt
2018-03-17 07:02 - 2018-03-17 07:02 - 000000000 ____D C:\Program Files\VeraCrypt
2018-03-17 06:55 - 2018-03-17 06:58 - 029625696 _____ (IDRIX) C:\Users\WHITE\Downloads\VeraCrypt Setup 1.21.exe
2018-03-17 03:37 - 2018-03-16 17:54 - 000000000 ____D C:\Windows\Panther
2018-03-17 02:42 - 2018-03-17 02:42 - 000001345 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
2018-03-17 02:42 - 2018-03-17 02:42 - 000001326 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk
2018-03-17 02:40 - 2018-03-17 02:40 - 000000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2018-03-16 21:42 - 2018-03-16 21:42 - 000000000 ____D C:\Users\WHITE\AppData\Roaming\SeriousBit
2018-03-16 21:40 - 2018-03-16 21:40 - 000000000 ____D C:\ProgramData\SeriousBit
2018-03-16 21:40 - 2018-03-16 21:40 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NetBalancer
2018-03-16 21:40 - 2018-03-16 21:40 - 000000000 ____D C:\Program Files\NetBalancer
2018-03-16 21:40 - 2016-01-15 08:41 - 000040976 _____ (SeriousBit) C:\Windows\system32\Drivers\nbdrv.sys
2018-03-16 21:32 - 2018-03-16 21:33 - 000031152 _____ C:\Windows\system32\Drivers\pmxdrv.sys
2018-03-16 21:30 - 2018-03-16 21:30 - 007147488 _____ (SeriousBit ) C:\Users\WHITE\Downloads\NetBalancerSetup.exe
2018-03-16 21:30 - 2018-03-16 21:30 - 003645032 _____ C:\Users\WHITE\Downloads\SA00086_Windows.zip
2018-03-16 21:06 - 2018-03-16 21:06 - 000000000 ____D C:\Users\WHITE\AppData\Roaming\WinRAR
2018-03-16 21:03 - 2018-03-16 21:03 - 000000985 _____ C:\ProgramData\Microsoft\Windows\Start Menu\WinRAR.lnk
2018-03-16 21:03 - 2018-03-16 21:03 - 000000000 ____D C:\Users\WHITE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
2018-03-16 21:03 - 2018-03-16 21:03 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
2018-03-16 21:01 - 2018-03-16 21:03 - 000000000 ____D C:\Program Files\WinRAR
2018-03-16 21:01 - 2018-03-16 21:01 - 002211576 _____ C:\Users\WHITE\Downloads\winrar-x64-550.exe
2018-03-16 20:40 - 2018-03-16 20:40 - 000000000 ____D C:\Users\WHITE\AppData\Roaming\Intel Corporation
2018-03-16 20:35 - 2018-03-16 20:35 - 000000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Intel
2018-03-16 20:24 - 2017-04-28 00:50 - 003550208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_47.dll
2018-03-16 20:24 - 2017-04-12 15:05 - 004296704 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_47.dll
2018-03-16 20:22 - 2018-03-16 20:22 - 000758128 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2018-03-16 20:10 - 2018-03-16 20:10 - 001434504 _____ (Microsoft Corporation) C:\Users\WHITE\Downloads\NDP471-KB4033344-Web.exe
2018-03-16 20:08 - 2018-03-16 20:08 - 000000000 ____D C:\Users\WHITE\AppData\Roaming\Google
2018-03-16 20:07 - 2018-03-22 07:32 - 000002224 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2018-03-16 20:03 - 2018-03-16 20:25 - 000000000 ____D C:\Users\WHITE\AppData\Local\Google
2018-03-16 20:03 - 2018-03-16 20:06 - 000000000 ____D C:\Program Files (x86)\Google
2018-03-16 20:03 - 2018-03-16 20:03 - 000003330 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2018-03-16 20:03 - 2018-03-16 20:03 - 000003202 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2018-03-16 20:02 - 2018-03-16 20:03 - 000000000 ____D C:\Users\WHITE\AppData\Local\Deployment
2018-03-16 20:02 - 2018-03-16 20:02 - 000000000 ____D C:\Users\WHITE\AppData\Local\Apps\2.0
2018-03-16 20:00 - 2018-03-16 20:00 - 000000000 ____D C:\Users\WHITE\AppData\Roaming\Synaptics
2018-03-16 19:58 - 2018-03-16 19:58 - 000000000 ____H C:\Windows\system32\Drivers\MsftWdf_Kernel_01011_Coinstaller_Critical.Wdf
2018-03-16 19:58 - 2018-03-16 19:58 - 000000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_SynTP_01011.Wdf
2018-03-16 19:58 - 2012-07-26 06:55 - 000785512 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\Wdf01000.sys
2018-03-16 19:58 - 2012-07-26 06:55 - 000054376 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\WdfLdr.sys
2018-03-16 19:58 - 2012-07-26 04:36 - 000009728 _____ (Microsoft Corporation) C:\Windows\system32\Wdfres.dll
2018-03-16 19:58 - 2012-06-02 16:35 - 000000003 _____ C:\Windows\system32\Drivers\MsftWdf_Kernel_01011_Inbox_Critical.Wdf
2018-03-16 19:52 - 2018-03-16 19:52 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ViewSpan Config
2018-03-16 19:52 - 2018-03-16 19:52 - 000000000 ____D C:\Program Files\SGFX
2018-03-16 19:51 - 2018-03-16 19:52 - 000000000 ____D C:\Program Files (x86)\HP Port Replicator Software Installer
2018-03-16 19:51 - 2018-03-16 19:51 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP
2018-03-16 19:46 - 2018-03-16 19:46 - 000000000 ____D C:\ProgramData\Intel
2018-03-16 19:46 - 2012-05-15 07:13 - 000144896 _____ (Intel Corporation) C:\Windows\system32\IntelOpenCL64.dll
2018-03-16 19:46 - 2012-05-15 07:13 - 000020992 _____ (Khronos Group) C:\Windows\system32\OpenCL.dll
2018-03-16 19:46 - 2012-05-15 06:20 - 000104448 _____ (Intel Corporation) C:\Windows\SysWOW64\IntelOpenCL32.dll
2018-03-16 19:46 - 2012-05-15 06:20 - 000017920 _____ (Khronos Group) C:\Windows\SysWOW64\OpenCL.dll
2018-03-16 19:45 - 2018-03-16 20:35 - 000000000 ____D C:\Program Files (x86)\Intel
2018-03-16 19:44 - 2018-03-16 19:45 - 000000000 ____D C:\Intel
2018-03-16 19:35 - 2012-11-28 11:17 - 000482128 _____ (Intel Corporation) C:\Windows\system32\Drivers\e1c62x64.sys
2018-03-16 19:35 - 2012-08-09 12:56 - 000101224 _____ (Intel Corporation) C:\Windows\system32\NicInstC.dll
2018-03-16 19:35 - 2012-08-09 08:54 - 000073032 _____ (Intel Corporation) C:\Windows\system32\e1cmsg.dll
2018-03-16 19:35 - 2012-07-25 07:54 - 000538496 _____ (Intel Corporation) C:\Windows\system32\PROUnstl.exe
2018-03-16 19:35 - 2012-01-06 13:02 - 000003114 _____ C:\Windows\system32\e1c62x64.din
2018-03-16 19:35 - 2009-05-26 09:05 - 000036472 _____ (Intel Corporation) C:\Windows\system32\NicCo36.dll
2018-03-16 19:35 - 2006-01-12 14:52 - 000001904 ____N C:\Windows\system32\SetupBD.din
2018-03-16 18:58 - 2018-03-16 18:58 - 000057560 _____ C:\Users\WHITE\AppData\Local\GDIPFONTCACHEV1.DAT
2018-03-16 18:57 - 2018-03-16 18:57 - 000000000 ____D C:\Program Files\Broadcom
2018-03-16 18:57 - 2018-03-16 18:55 - 007930368 _____ (Broadcom Corporation) C:\Windows\system32\BCMWLCPL.CPL
2018-03-16 18:57 - 2018-03-16 18:55 - 004961800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vcredist_x64.exe
2018-03-16 18:57 - 2018-03-16 18:55 - 004747880 _____ (Broadcom Corporation) C:\Windows\system32\Drivers\BCMWL664.SYS
2018-03-16 18:57 - 2018-03-16 18:55 - 004698112 _____ (Broadcom Corporation) C:\Windows\system32\bcmttls.dll
2018-03-16 18:57 - 2018-03-16 18:55 - 003952640 _____ (Broadcom Corporation) C:\Windows\system32\bcmihvsrv64.dll
2018-03-16 18:57 - 2018-03-16 18:55 - 003617792 _____ (Broadcom Corporation) C:\Windows\system32\bcmihvui64.dll
2018-03-16 18:57 - 2018-03-16 18:55 - 003161088 _____ (Microsoft Corporation) C:\Windows\system32\vcredist_x64.exe
2018-03-16 18:57 - 2018-03-16 18:55 - 001058816 _____ (Broadcom Corporation) C:\Windows\system32\BCMLogon.dll
2018-03-16 18:57 - 2018-03-16 18:55 - 000095584 _____ (Broadcom Corporation) C:\Windows\system32\bcmwlcoi.dll
2018-03-16 18:57 - 2018-03-16 18:55 - 000073728 _____ (Broadcom Corporation) C:\Windows\system32\wltrynt.dll
2018-03-16 18:57 - 2018-03-16 18:55 - 000035344 _____ (CACE Technologies, Inc.) C:\Windows\system32\Drivers\npf.sys
2018-03-16 18:57 - 2018-03-16 18:55 - 000022632 _____ (Broadcom Corporation) C:\Windows\system32\Drivers\bcm42rly.sys
2018-03-16 18:57 - 2018-03-16 18:55 - 000006656 _____ C:\Windows\system32\bcmwlrc.dll
2018-03-16 18:57 - 2018-03-16 18:55 - 000000446 _____ C:\Windows\SysWOW64\vcredist_x64.bat
2018-03-16 18:57 - 2018-03-16 18:55 - 000000445 _____ C:\Windows\system32\vcredist_x64.bat
2018-03-16 18:46 - 2018-03-16 18:46 - 000000000 ____D C:\Users\WHITE\Documents\Bluetooth Exchange Folder
2018-03-16 18:46 - 2018-03-16 18:46 - 000000000 ____D C:\Users\WHITE\AppData\Local\Broadcom
2018-03-16 18:45 - 2010-07-20 13:26 - 000135720 _____ (Broadcom Corporation.) C:\Windows\system32\Drivers\btwavdt.sys
2018-03-16 18:45 - 2010-07-20 13:26 - 000102952 _____ (Broadcom Corporation.) C:\Windows\system32\Drivers\btwaudio.sys
2018-03-16 18:45 - 2010-07-20 13:26 - 000021544 _____ (Broadcom Corporation.) C:\Windows\system32\Drivers\btwrchid.sys
2018-03-16 18:45 - 2010-07-14 06:25 - 000344616 _____ (Broadcom Corporation.) C:\Windows\system32\Drivers\btwampfl.sys
2018-03-16 18:45 - 2010-03-02 14:37 - 000039464 _____ (Broadcom Corporation.) C:\Windows\system32\Drivers\btwl2cap.sys
2018-03-16 18:43 - 2018-03-16 18:43 - 000000000 ____D C:\Program Files\WIDCOMM
2018-03-16 18:35 - 2018-03-16 18:35 - 000001646 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SRS Premium Sound.lnk
2018-03-16 18:35 - 2018-03-16 18:35 - 000000000 ____D C:\Windows\system32\SRSLabs
2018-03-16 18:35 - 2012-10-24 22:53 - 008013312 _____ (IDT, Inc.) C:\Windows\system32\IDTNHP.dll
2018-03-16 18:35 - 2012-10-24 22:53 - 008003072 _____ (IDT, Inc.) C:\Windows\system32\IDTNGUI.exe
2018-03-16 18:35 - 2012-10-24 22:53 - 006102016 _____ (IDT, Inc.) C:\Windows\system32\stlang64.dll
2018-03-16 18:35 - 2012-10-24 22:53 - 002216448 _____ (IDT, Inc.) C:\Windows\system32\IDTNX.dll
2018-03-16 18:35 - 2012-10-24 22:53 - 001821184 _____ (IDT, Inc.) C:\Windows\system32\IDTNC64.cpl
2018-03-16 18:35 - 2012-10-24 22:53 - 001664000 _____ (IDT, Inc.) C:\Windows\sttray64.exe
2018-03-16 18:35 - 2012-10-24 22:53 - 000253952 _____ (IDT, Inc.) C:\Windows\system32\IDTNJ.exe
2018-03-16 18:35 - 2012-10-24 22:53 - 000224256 _____ (IDT, Inc.) C:\Windows\system32\HPToneCtrls64.dll
2018-03-16 18:35 - 2012-03-29 22:48 - 000200288 _____ (Andrea Electronics Corporation) C:\Windows\system32\AESTAC64.dll
2018-03-16 18:35 - 2012-03-29 22:48 - 000074336 _____ (Andrea Electronics Corporation) C:\Windows\system32\AESTAR64.dll
2018-03-16 18:35 - 2009-10-10 00:45 - 000442368 _____ (Andrea Electronics Corporation) C:\Windows\system32\AESTEC64.dll
2018-03-16 18:35 - 2009-03-03 01:47 - 000090624 _____ (Andrea Electronics Corporation) C:\Windows\system32\AESTCo64.dll
2018-03-16 18:34 - 2018-03-24 13:48 - 000000000 ____D C:\SwSetup
2018-03-16 18:34 - 2018-03-23 16:41 - 000000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2018-03-16 18:34 - 2018-03-16 18:35 - 000000000 ____D C:\Program Files\IDT
2018-03-16 18:34 - 2012-10-24 22:53 - 002189312 _____ (IDT, Inc.) C:\Windows\system32\stapo64.dll
2018-03-16 18:34 - 2012-10-24 22:53 - 000672256 ____N (IDT, Inc.) C:\Windows\system32\stapi64.dll
2018-03-16 18:34 - 2012-10-24 22:53 - 000543744 _____ (IDT, Inc.) C:\Windows\system32\Drivers\stwrt64.sys
2018-03-16 18:34 - 2012-10-24 22:53 - 000499200 _____ (IDT, Inc.) C:\Windows\system32\stcplx64.dll
2018-03-16 18:34 - 2012-10-24 22:53 - 000256000 _____ (IDT, Inc.) C:\Windows\system32\st646433.dll
2018-03-16 18:26 - 2018-03-16 18:26 - 000000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2018-03-16 17:55 - 2018-03-16 17:55 - 000001447 _____ C:\Users\WHITE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2018-03-16 17:55 - 2018-03-16 17:55 - 000001413 _____ C:\Users\WHITE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2018-03-16 17:55 - 2018-03-16 17:55 - 000000000 ____D C:\Users\WHITE\AppData\Local\VirtualStore
2018-03-16 17:54 - 2018-03-22 01:25 - 000000000 ____D C:\Users\WHITE
2018-03-16 17:54 - 2018-03-16 17:54 - 000000020 ___SH C:\Users\WHITE\ntuser.ini
2018-03-16 17:54 - 2010-11-21 09:16 - 000000000 ____D C:\Users\WHITE\AppData\Roaming\Media Center Programs

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-03-31 07:19 - 2009-07-14 06:45 - 000026352 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-03-31 07:19 - 2009-07-14 06:45 - 000026352 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-03-27 15:03 - 2009-07-14 05:20 - 000000000 ____D C:\Windows\system32\sysprep
2018-03-25 07:52 - 2009-07-14 07:13 - 000006162 _____ C:\Windows\system32\PerfStringBackup.INI
2018-03-25 07:46 - 2009-07-14 07:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-03-25 07:20 - 2009-07-14 05:20 - 000000000 ____D C:\Windows\inf
2018-03-18 16:56 - 2009-07-14 05:20 - 000000000 ___HD C:\Windows\system32\GroupPolicy
2018-03-17 18:36 - 2009-07-14 05:20 - 000000000 __RHD C:\Users\Public\Libraries
2018-03-17 03:37 - 2009-07-14 07:32 - 000028672 _____ C:\Windows\system32\config\BCD-Template
2018-03-17 02:44 - 2009-07-14 06:45 - 000274320 _____ C:\Windows\system32\FNTCACHE.DAT
2018-03-17 02:42 - 2009-07-14 07:32 - 000000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2018-03-17 02:39 - 2010-11-21 09:16 - 000000000 ____D C:\Windows\CSC
2018-03-17 00:23 - 2009-07-14 05:20 - 000000000 ____D C:\Windows\rescache
2018-03-16 18:57 - 2009-07-14 05:20 - 000000000 ____D C:\Windows\system32\lv-LV
2018-03-16 18:57 - 2009-07-14 05:20 - 000000000 ____D C:\Windows\system32\lt-LT
2018-03-16 18:57 - 2009-07-14 05:20 - 000000000 ____D C:\Windows\system32\et-EE
2018-03-16 18:57 - 2009-07-14 05:20 - 000000000 ____D C:\Windows\Help
2018-03-16 18:57 - 2009-07-14 05:20 - 000000000 ____D C:\Program Files\Common Files\Microsoft Shared

Some files in TEMP:
====================
2018-03-16 20:50 - 2018-03-16 20:50 - 000059392 _____ (Intel Corporation) C:\Users\WHITE\AppData\Local\Temp\AtpTimerInfo.dll
2017-01-26 09:26 - 2017-01-26 09:26 - 004297200 _____ (Bandicam Company) C:\Users\WHITE\AppData\Local\Temp\bdfilters.dll
2018-03-18 01:01 - 2014-07-20 13:24 - 000105064 _____ () C:\Users\WHITE\AppData\Local\Temp\cabex.dll
2018-03-27 15:03 - 2018-03-27 15:03 - 000073802 _____ (Apache Software Foundation) C:\Users\WHITE\AppData\Local\Temp\fxwjoEuVHOJ.exe
2018-03-18 20:49 - 2018-03-18 20:49 - 001857024 _____ (Opera Software) C:\Users\WHITE\AppData\Local\Temp\Opera_installer_180318184918342.dll
2018-03-18 20:49 - 2018-03-18 20:49 - 001857024 _____ (Opera Software) C:\Users\WHITE\AppData\Local\Temp\Opera_installer_180318184918383.dll
2018-03-18 20:49 - 2018-03-18 20:49 - 001857024 _____ (Opera Software) C:\Users\WHITE\AppData\Local\Temp\Opera_installer_180318184918495.dll
2018-03-18 20:49 - 2018-03-18 20:49 - 001857024 _____ (Opera Software) C:\Users\WHITE\AppData\Local\Temp\Opera_installer_180318184939497.dll
2018-03-18 20:49 - 2018-03-18 20:49 - 001857024 _____ (Opera Software) C:\Users\WHITE\AppData\Local\Temp\Opera_installer_180318184941219.dll
2018-03-18 20:49 - 2018-03-18 20:49 - 001857024 _____ (Opera Software) C:\Users\WHITE\AppData\Local\Temp\Opera_installer_180318184941561.dll
2018-03-18 20:52 - 2018-03-18 20:52 - 002153984 _____ (Opera Software) C:\Users\WHITE\AppData\Local\Temp\Opera_installer_180318185239863.dll
2018-03-18 20:52 - 2018-03-18 20:52 - 002153984 _____ (Opera Software) C:\Users\WHITE\AppData\Local\Temp\Opera_installer_180318185240930.dll
2018-03-18 21:58 - 2018-03-18 21:58 - 002153984 _____ (Opera Software) C:\Users\WHITE\AppData\Local\Temp\Opera_installer_180318195843091.dll
2018-03-18 21:58 - 2018-03-18 21:58 - 002153984 _____ (Opera Software) C:\Users\WHITE\AppData\Local\Temp\Opera_installer_180318195843107.dll
2018-03-18 21:58 - 2018-03-18 21:58 - 002153984 _____ (Opera Software) C:\Users\WHITE\AppData\Local\Temp\Opera_installer_180318195843497.dll
2018-03-18 21:58 - 2018-03-18 21:58 - 002153984 _____ (Opera Software) C:\Users\WHITE\AppData\Local\Temp\Opera_installer_180318195846461.dll
2018-03-18 01:01 - 2014-07-21 10:23 - 000130712 _____ () C:\Users\WHITE\AppData\Local\Temp\RunWizards.exe
2018-03-18 01:01 - 2013-06-03 08:36 - 000041984 _____ () C:\Users\WHITE\AppData\Local\Temp\SetupUtils6.dll
2018-03-27 14:59 - 2018-03-27 14:59 - 000291840 _____ () C:\Users\WHITE\AppData\Local\Temp\sysret.exe
2018-03-18 01:01 - 2010-06-09 14:43 - 001821192 _____ (Microsoft Corporation) C:\Users\WHITE\AppData\Local\Temp\vcredist_x86.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2018-03-30 08:18

==================== End of FRST.txt ============================

#6 DarUrjakar_Jahkrhan


Posted 31 March 2018 - 02:35 AM

Addition.txt


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 14.03.2018
Ran by WHITE (31-03-2018 09:27:19)
Running from C:\Users\WHITE\Desktop
Windows 7 Ultimate Service Pack 1 (X64) (2018-03-16 15:54:53)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-3304123577-1118726963-4268761665-500 - Administrator - Disabled)
Guest (S-1-5-21-3304123577-1118726963-4268761665-501 - Limited - Disabled)
WHITE (S-1-5-21-3304123577-1118726963-4268761665-1000 - Administrator - Enabled) => C:\Users\WHITE

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Malwarebytes (Disabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AS: Malwarebytes (Disabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKU\S-1-5-21-3304123577-1118726963-4268761665-1000\...\uTorrent) (Version: 3.5.3.44358 - BitTorrent Inc.)
64 Bit HP CIO Components Installer (HKLM\...\{13DA9C7C-EBFB-40D0-94A1-55B42883DF21}) (Version: 21.2.1 - HP Inc.) Hidden
Bandicam (HKLM-x32\...\Bandicam) (Version: 4.0.2.1352 - Bandicam.com)
Bandicam MPEG-1 Decoder (HKLM-x32\...\BandiMPEG1) (Version: - Bandicam.com)
Broadcom 2070 Bluetooth 3.0 (HKLM\...\{436E0B79-2CFB-4E5F-9380-E17C1B25D0C5}) (Version: 6.3.0.6300 - Broadcom Corporation)
Broadcom 802.11 Wireless LAN Adapter (HKLM\...\Broadcom 802.11 Wireless LAN Adapter) (Version: 5.100.82.143 - Broadcom Corporation)
Broadcom Wireless Utility (HKLM\...\Broadcom Wireless Utility) (Version: 5.100.82.143 - Broadcom Corporation)
Core Graphics Software (HKLM\...\{259EDF5A-8DF6-4771-A0DA-81F0C846F6E8}) (Version: 5.1.55.8876 - SMSC) Hidden
Download Accelerator Plus (DAP) (HKLM-x32\...\Download Accelerator Plus (DAP)) (Version: 10060 (Build 2599) - Speedbit Ltd.)
Ericsson WWAN Module Firmware Update (HKLM-x32\...\{C7116457-0B69-4EF2-9B67-72BAD7A7D48F}) (Version: 1.00.0000 - Hewlett Packard)
Facebook Gameroom 1.20.6618.42311 (HKLM-x32\...\{CF2C7CB9-1009-4EAA-9033-317F4C4C9DA2}) (Version: 1.20.6618.42311 - Facebook)
FxSound Enhancer (HKLM-x32\...\DFX) (Version: 13.018 - FxSound)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 65.0.3325.181 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.7 - Google Inc.) Hidden
Helium (HKLM-x32\...\{9A781940-AC41-4D5E-8E1E-76A04B916FB9}) (Version: 1.0.0 - ClockworkMod)
HP Port Replicator Software Installer (HKLM-x32\...\{75BF632E-4761-4CF4-A368-E158B8A1BB1C}) (Version: 1.2.18 - HP)
HP Software Framework (HKLM-x32\...\{35D2E477-8524-4294-9D6A-D8481328389F}) (Version: 4.0.80.1 - Hewlett-Packard Company)
IDT Audio (HKLM-x32\...\{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}) (Version: 1.0.6433.0 - IDT)
Intel® Network Connections Drivers (HKLM\...\PROSet) (Version: 17.3 - Intel)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.2963 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 10.1.2.1004 - Intel Corporation)
Intel® SDK for OpenCL - CPU Only Runtime Package (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 2.0.0.37149 - Intel Corporation)
Java 8 Update 161 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F64180161F0}) (Version: 8.0.1610.12 - Oracle Corporation)
Malwarebytes version 3.4.4.2398 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.4.4.2398 - Malwarebytes)
Microsoft .NET Framework 4.7.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.7.02558 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
NetBalancer (HKLM\...\NetBalancer_is1) (Version: - SeriousBit)
Revo Uninstaller Pro 3.2.0 (HKLM-x32\...\Revo Uninstaller Pro 3.2.0) (Version: - )
Sandboxie 5.24 (64-bit) (HKLM\...\Sandboxie) (Version: 5.24 - Sandboxie Holdings, LLC)
Signal 1.6.1 (only current user) (HKU\S-1-5-21-3304123577-1118726963-4268761665-1000\...\7d96caee-06e6-597c-9f2f-c7bb2e0948b4) (Version: 1.6.1 - Open Whisper Systems)
SMSC Core Graphics Software (HKLM-x32\...\Core Graphics Software) (Version: 5.1.55.8876 - SMSC)
SMSC LAN9500 Device Driver (HKLM\...\{A74B7E5F-C221-4303-AC85-39A5AFBDABDD}) (Version: 12.12.06.0 - SMSC)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 17.0.8.9 - Synaptics Incorporated)
VeraCrypt (HKLM-x32\...\VeraCrypt) (Version: 1.21 - IDRIX)
ViewSpan (HKLM\...\{33F3FCBA-4CC5-4A5B-A6DB-53478463D991}) (Version: 2.8.3.0 - SMSC)
VLC media player (HKLM\...\VLC media player) (Version: 3.0.1 - VideoLAN)
Vysor (HKU\S-1-5-21-3304123577-1118726963-4268761665-1000\...\Vysor) (Version: 1.8.3 - ClockworkMod)
WhatsApp (HKU\S-1-5-21-3304123577-1118726963-4268761665-1000\...\WhatsApp) (Version: 0.2.8505 - WhatsApp)
WinRAR 5.50 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.50.0 - win.rar GmbH)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ContextMenuHandlers1: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2017-08-11] (Alexander Roshal)
ContextMenuHandlers1-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2017-08-11] (Alexander Roshal)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-03-03] (Malwarebytes)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\Windows\system32\igfxpph.dll [2013-01-16] (Intel Corporation)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-03-03] (Malwarebytes)
ContextMenuHandlers6: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2017-08-11] (Alexander Roshal)
ContextMenuHandlers6-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2017-08-11] (Alexander Roshal)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {50E542A4-0FB5-45B3-BC12-86EF07374243} - System32\Tasks\Adobe Flash Player PPAPI Notifier => C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_29_0_0_113_pepper.exe
Task: {730FD966-D54E-4E82-BF9F-3B4460EE02B5} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2018-03-16] (Google Inc.)
Task: {7E4B479D-8F1A-46D4-B0B5-36B02D0F94C8} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2018-03-16] (Google Inc.)
Task: {EF1E2B9F-5B31-4EB8-9E1C-A8EF58E6DC78} - \Driver Booster SkipUAC (WHITE) -> No File <==== ATTENTION

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


ShortcutWithArgument: C:\Users\WHITE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Vysor.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory=Default --app-id=gidgenkbbabolejbgbpnhbimgjbffefm
ShortcutWithArgument: C:\Users\WHITE\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\cf44704c78be601a\Tabs Outliner.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory=Default --app-id=eggkanocgddhmamlbiijnphhppkpkmkl

==================== Loaded Modules (Whitelisted) ==============

2018-03-16 21:40 - 2018-02-05 10:42 - 000463360 _____ () C:\Program Files\NetBalancer\nDPI.dll
2013-01-16 15:27 - 2013-01-16 15:27 - 000094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2013-01-11 19:22 - 2013-01-11 19:22 - 002233080 _____ () C:\Program Files\SGFX\SgfxConfig.exe
2018-03-16 20:35 - 2018-03-16 20:35 - 000169472 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\f3fe53ec4c0c7aa33e716ad6727579a2\IsdiInterop.ni.dll
2018-03-16 20:35 - 2011-01-12 17:56 - 000058880 _____ () C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IsdiInterop.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:56E2E879 [141]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VeraCryptSystemFavorites => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\VeraCryptSystemFavorites => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 04:34 - 2009-06-10 23:00 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3304123577-1118726963-4268761665-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\WHITE\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: Media is not connected to internet.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{D369F500-F4F3-4647-8FC2-8DCA257442E5}] => (Allow) C:\Users\WHITE\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{BA6951D2-EEA9-402B-AF92-D1654969915E}] => (Allow) C:\Users\WHITE\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{E1774202-06D0-4805-9538-B25A01EEA40F}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [TCP Query User{05D33204-6BEA-4F29-9802-4C15EF85034D}C:\users\white\appdata\local\vysor\app-1.8.3\vysor.exe] => (Allow) C:\users\white\appdata\local\vysor\app-1.8.3\vysor.exe
FirewallRules: [UDP Query User{9B8EE4ED-16EA-4FEE-9586-92DFD902FD73}C:\users\white\appdata\local\vysor\app-1.8.3\vysor.exe] => (Allow) C:\users\white\appdata\local\vysor\app-1.8.3\vysor.exe
FirewallRules: [TCP Query User{8F14F7C3-905C-47AA-83AB-0184C9797FB5}C:\users\white\appdata\local\temp\cjzjmoqbc\metsvc.exe] => (Block) C:\users\white\appdata\local\temp\cjzjmoqbc\metsvc.exe
FirewallRules: [UDP Query User{71CBADDA-6FD0-46E3-B568-AAFA7F9B6213}C:\users\white\appdata\local\temp\cjzjmoqbc\metsvc.exe] => (Block) C:\users\white\appdata\local\temp\cjzjmoqbc\metsvc.exe

==================== Restore Points =========================

16-03-2018 18:35:24 Installed IDT Audio
16-03-2018 18:43:21 Installed Bluetooth Software
16-03-2018 19:35:03 Intel® Network Connections
16-03-2018 19:50:56 Installed HP Port Replicator Software Installer
16-03-2018 19:51:45 Installed HP Port Replicator Software Installer
16-03-2018 20:24:37 Windows Update
16-03-2018 21:40:10 System Restore Point created by NetBalancer Setup
16-03-2018 21:40:22 Device Driver Package Install: SeriousBit Network Service
17-03-2018 07:02:08 VeraCrypt installation
18-03-2018 21:57:00 Revo Uninstaller Pro's restore point - Adobe Flash Player 29 NPAPI
18-03-2018 22:02:15 Device Driver Package Install: DFX Sound, video and game controllers
18-03-2018 22:03:15 Device Driver Package Install: DFX Sound, video and game controllers
21-03-2018 22:54:49 Installed Helium
23-03-2018 16:41:27 Installed Ericsson WWAN Module Firmware Update
31-03-2018 07:13:24 Revo Uninstaller Pro's restore point - Driver Booster 4.1

==================== Faulty Device Manager Devices =============

Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PCI Simple Communications Controller
Description: PCI Simple Communications Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Base System Device
Description: Base System Device
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (03/31/2018 07:13:22 AM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {dcac0415-554d-410e-a014-56c68d66a06b}

Error: (03/25/2018 07:52:31 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

Error: (03/25/2018 07:52:31 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Error: (03/25/2018 07:47:52 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (03/24/2018 02:37:53 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

Error: (03/24/2018 02:37:53 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Error: (03/24/2018 01:57:19 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

Error: (03/24/2018 01:57:19 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.


System errors:
=============
Error: (03/27/2018 03:04:12 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the whauwx service to connect.

Error: (03/25/2018 07:46:16 AM) (Source: SbieSvc) (EventID: 9234) (User: )
Description: SBIE9234 Service startup error level 9153 status=C0000428 error=-1073740760

Error: (03/24/2018 01:51:38 PM) (Source: SbieSvc) (EventID: 9234) (User: )
Description: SBIE9234 Service startup error level 9153 status=C0000428 error=-1073740760

Error: (03/24/2018 01:16:08 PM) (Source: SbieSvc) (EventID: 9234) (User: )
Description: SBIE9234 Service startup error level 9153 status=C0000428 error=-1073740760

Error: (03/24/2018 01:04:43 PM) (Source: SbieSvc) (EventID: 9234) (User: )
Description: SBIE9234 Service startup error level 9153 status=C0000428 error=-1073740760

Error: (03/24/2018 12:57:14 PM) (Source: SbieSvc) (EventID: 9234) (User: )
Description: SBIE9234 Service startup error level 9153 status=C0000428 error=-1073740760

Error: (03/23/2018 07:34:02 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR2.

Error: (03/23/2018 07:34:01 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR2.


CodeIntegrity:
===================================

Date: 2018-03-31 09:27:01.183
Description:
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Sandboxie\SbieDrv.sys because the set of per-page image hashes could not be found on the system.

Date: 2018-03-31 09:27:01.168
Description:
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Sandboxie\SbieDrv.sys because the set of per-page image hashes could not be found on the system.

Date: 2018-03-31 09:27:01.152
Description:
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Sandboxie\SbieDrv.sys because the set of per-page image hashes could not be found on the system.

Date: 2018-03-31 09:27:01.137
Description:
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Sandboxie\SbieDrv.sys because the set of per-page image hashes could not be found on the system.

Date: 2018-03-31 09:26:26.165
Description:
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\AESTAR64.dll because the set of per-page image hashes could not be found on the system.

Date: 2018-03-31 07:16:56.737
Description:
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\AESTAR64.dll because the set of per-page image hashes could not be found on the system.

Date: 2018-03-31 07:16:52.362
Description:
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\AESTAR64.dll because the set of per-page image hashes could not be found on the system.

Date: 2018-03-31 07:16:50.710
Description:
Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\AESTAR64.dll because the set of per-page image hashes could not be found on the system.

==================== Memory info ===========================

Processor: Intel® Core™ i5-2450M CPU @ 2.50GHz
Percentage of memory in use: 21%
Total physical RAM: 8102.32 MB
Available physical RAM: 6381.15 MB
Total Virtual: 16202.85 MB
Available Virtual: 14335.73 MB

==================== Drives ================================

Drive b: () (Fixed) (Total:465.76 GB) (Free:423.35 GB) NTFS
Drive c: () (Fixed) (Total:232.79 GB) (Free:165.1 GB) NTFS

\\?\Volume{6e713fd7-297b-11e8-894f-806e6f6e6963}\ (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 232.9 GB) (Disk ID: E064C9D1)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=232.8 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7/8/10) (Size: 465.8 GB) (Disk ID: 8177A6E3)
Partition 1: (Not Active) - (Size=465.8 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================
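The Addition.txt above contains the three kinds of entry the later fix targets: two "Query User" firewall rules for an executable under the user's Temp folder, a scheduled task whose target is "No File", and an alternate data stream on C:\ProgramData\TEMP. The following Python script is an added example, not part of this thread, of FRST, or of the helper's procedure: it parses those three FRST line formats and flags the same indicators automatically. The sample lines are copied from the log above; the regular expressions are written against the line shapes visible in this log only and are an assumption about, not a specification of, FRST's output format. Note that a firewall rule with the action (Block) still records that the program asked for network access (the "Query User" prefix is the prompt the user answered), so an executable in a temp directory is flagged regardless of the rule's action.

```python
"""Triage selected FRST (Farbar Recovery Scan Tool) Addition.txt lines.

Added example for this thread; not FRST code and not the helper's procedure.
The parsers match only the line shapes visible in the posted log (assumption).
"""
import re
from typing import Dict, List, Optional

# Sample input: lines copied verbatim from the Addition.txt posted in this thread.
SAMPLE_LINES = [
    r"Task: {730FD966-D54E-4E82-BF9F-3B4460EE02B5} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2018-03-16] (Google Inc.)",
    r"Task: {EF1E2B9F-5B31-4EB8-9E1C-A8EF58E6DC78} - \Driver Booster SkipUAC (WHITE) -> No File <==== ATTENTION",
    r"FirewallRules: [{E1774202-06D0-4805-9538-B25A01EEA40F}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
    r"FirewallRules: [TCP Query User{8F14F7C3-905C-47AA-83AB-0184C9797FB5}C:\users\white\appdata\local\temp\cjzjmoqbc\metsvc.exe] => (Block) C:\users\white\appdata\local\temp\cjzjmoqbc\metsvc.exe",
    r"FirewallRules: [UDP Query User{71CBADDA-6FD0-46E3-B568-AAFA7F9B6213}C:\users\white\appdata\local\temp\cjzjmoqbc\metsvc.exe] => (Block) C:\users\white\appdata\local\temp\cjzjmoqbc\metsvc.exe",
    r"AlternateDataStreams: C:\ProgramData\TEMP:56E2E879 [141]",
]

# "FirewallRules: [<rule name>] => (Allow|Block) <path>"
FIREWALL_RE = re.compile(
    r"^FirewallRules: \[(?P<name>[^\]]+)\] => \((?P<action>Allow|Block)\) (?P<path>.+)$"
)
# "Task: {GUID} - <task> => <path> [date] (vendor)"  or  "Task: {GUID} - <task> -> No File ..."
TASK_RE = re.compile(r"^Task: (?P<guid>\{[0-9A-Fa-f-]+\}) - (?P<rest>.+)$")
# "AlternateDataStreams: <path>:<stream> [<size>]"
ADS_RE = re.compile(r"^AlternateDataStreams: (?P<path>.+?):(?P<stream>[^:\\ ]+) \[(?P<size>\d+)\]$")

# Locations a properly installed program has no business running from.
# Substring matching: "\programdata\temp" also matches the ADS host folder above.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\programdata\\temp")


def is_temp_path(path: str) -> bool:
    """True if the path sits under a temp directory (case-insensitive)."""
    lowered = path.lower()
    return any(marker in lowered for marker in TEMP_MARKERS)


def parse_firewall_rule(line: str) -> Optional[Dict[str, str]]:
    m = FIREWALL_RE.match(line)
    if not m:
        return None
    return {"kind": "firewall", "name": m["name"], "action": m["action"], "path": m["path"].strip()}


def parse_task(line: str) -> Optional[Dict[str, object]]:
    m = TASK_RE.match(line)
    if not m:
        return None
    rest = m["rest"]
    if " -> No File" in rest:
        # Orphaned task: the registry entry survived but its target is gone.
        return {"kind": "task", "guid": m["guid"], "task": rest.split(" -> No File")[0], "path": None, "no_file": True}
    task, _, target = rest.partition(" => ")
    # Drop the trailing " [yyyy-mm-dd] (Vendor)" metadata FRST appends after the path.
    path = re.sub(r" \[\d{4}-\d{2}-\d{2}\].*$", "", target).strip()
    return {"kind": "task", "guid": m["guid"], "task": task, "path": path, "no_file": False}


def parse_ads(line: str) -> Optional[Dict[str, str]]:
    m = ADS_RE.match(line)
    if not m:
        return None
    return {"kind": "ads", "path": m["path"], "stream": m["stream"], "size": m["size"]}


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per line that carries an indicator worth a human look."""
    findings = []
    for line in lines:
        rec = parse_firewall_rule(line) or parse_task(line) or parse_ads(line)
        if rec is None:
            continue
        reasons = []
        if rec.get("no_file"):
            reasons.append("scheduled task points to a missing file (orphaned persistence)")
        if rec.get("path") and is_temp_path(str(rec["path"])):
            reasons.append("target lives in a temp directory")
        if rec["kind"] == "ads":
            reasons.append("alternate data stream on a folder (hidden data or payload)")
        if reasons:
            target = rec.get("path") or rec.get("task")
            if rec["kind"] == "ads":
                target = f"{rec['path']}:{rec['stream']}"
            findings.append({"kind": rec["kind"], "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f['kind']}] {f['target']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run against the sample, the script flags the orphaned "Driver Booster SkipUAC" task, both metsvc.exe firewall rules, and the ADS, and stays silent on the Google and Chrome entries, which is the same set the helper later put in the fixlist.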

#7 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,161 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:02:44 AM

Posted 31 March 2018 - 03:49 PM

Greetings.

Thank you for the information. We will address the metsvc.exe entry now, along with some other malicious software.

Do you recognize these?

C:\Users\WHITE\Desktop\ALT01.mcr
C:\Users\WHITE\Desktop\efweawe.mcr
C:\Users\WHITE\Desktop\details.txt
C:\Users\WHITE\Desktop\macro 3 perfect.mrf
C:\Users\WHITE\Desktop\urjakar.mrf


Please consider and do this.

===================================================

Peer to Peer (P2P) Warning

--------------------

Going over your logs I noticed that you have Peer 2 Peer (torrent) program(s) installed. It is pretty much certain that if you continue to use P2P programs, you will get infected again.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
I would recommend that you uninstall Peer 2 Peer programs; however, that choice is up to you. If you choose to remove the program, you can do so via Start > Control Panel > Add/Remove Programs.

If you are still leaning toward using this program, please take a look at this information about CryptoLocker Ransomware, a type of Ransomware which can be delivered via P2P file transfers. The newest variation of Ransomware can make it impossible to recover the files this malicious software encrypts. In other words, you will probably lose most if not all of your valuable information, including pictures. In addition, it has recently been reported that P2P downloads may be tracked, resulting in your IP address being monitored by copyright authorities.

If you wish to keep it, please do not use it until we are completely done and your machine is determined to be clean and updated.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Right click on the FRST icon and select Run as administrator
  • Highlight the below information then hit the Ctrl + C keys at the same time (there is no need to paste the information anywhere)
Start::
CreateRestorePoint:
CloseProcesses:
C:\ProgramData\TEMP
2018-03-17 18:28 - 2015-01-02 21:33 - 000071168 _____ C:\Users\WHITE\Desktop\keymaker.exe
2018-03-18 01:01 - 2014-07-21 10:23 - 000130712 _____ () C:\Users\WHITE\AppData\Local\Temp
Task: {EF1E2B9F-5B31-4EB8-9E1C-A8EF58E6DC78} - \Driver Booster SkipUAC (WHITE)
AlternateDataStreams: C:\ProgramData\TEMP:56E2E879 [141]
FirewallRules: [TCP Query User{8F14F7C3-905C-47AA-83AB-0184C9797FB5}C:\users\white\appdata\local\temp\cjzjmoqbc\metsvc.exe] => (Block) C:\users\white\appdata\local\temp\cjzjmoqbc\metsvc.exe
FirewallRules: [UDP Query User{71CBADDA-6FD0-46E3-B568-AAFA7F9B6213}C:\users\white\appdata\local\temp\cjzjmoqbc\metsvc.exe] => (Block) C:\users\white\appdata\local\temp\cjzjmoqbc\metsvc.exe
C:\Users\WHITE\AppData\Roaming\IObit
2018-03-24 13:53 - 2018-03-31 07:14 - 000000000 ____D C:\ProgramData\IObit
2018-03-24 13:53 - 2018-03-24 13:53 - 000000000 ____D C:\Windows\IObit
2018-03-24 13:42 - 2018-03-31 07:10 - 000000000 ____D C:\Users\WHITE\AppData\LocalLow\IObit
cmd: type "C:\Users\WHITE\Desktop\details.txt"
emptytemp:
End::
  • Click Fix
  • When completed, the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
  • Launch FRST
  • Copy/paste the following in the Search: box
SearchAll: *whauwx*
  • Click Search File(s) button
  • When completed click OK and a Search.txt document will open on your desktop
  • Copy and paste the contents of that document in your reply
===================================================

Malwarebytes AdwCleaner

-------------------
  • Please download AdwCleaner and save it on your desktop.
  • Close all open programs and browsers
  • Double click on AdwCleaner.exe, click Run, then select I agree if it appears
  • Click Scan
  • Once the scan has completed, if there are threats found, you will see Found 3 threats or something similar above the progress bar
  • Click each tab under Results and uncheck any items you want to keep
  • Click on Clean
  • Confirm the cleaning and rebooting of your computer by clicking OK
  • Click OK twice to finish the removal process by automatically rebooting your computer
  • Once completed an AdwCleaner document will open on your desktop
  • Copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Recognize entries
  • Fixlog
  • Search.txt
  • AdwCleaner report

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#8 DarUrjakar_Jahkrhan

DarUrjakar_Jahkrhan
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:11:44 AM

Posted 01 April 2018 - 12:49 AM

Yes, I recognize all of the following:

 

C:\Users\WHITE\Desktop\ALT01.mcr
C:\Users\WHITE\Desktop\efweawe.mcr
C:\Users\WHITE\Desktop\details.txt
C:\Users\WHITE\Desktop\macro 3 perfect.mrf
C:\Users\WHITE\Desktop\urjakar.mrf

 

They are safe macro files created by me.

 

Oh My! please notice that the file C:\Users\WHITE\Desktop\details.txt is safe and created by me.

However, it contains personal information such as emails and passwords that I cannot disclose.

 

Thus, in the Fixlog.txt I will have to remove the contents of details.txt :unsure: but I assure you it is safe, unless you suggest otherwise.



#9 DarUrjakar_Jahkrhan

Posted 01 April 2018 - 12:51 AM

Fixlog.txt

 

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 14.03.2018

Ran by WHITE (01-04-2018 06:38:56) Run:1
Running from C:\Users\WHITE\Desktop
Loaded Profiles: WHITE (Available Profiles: WHITE)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
C:\ProgramData\TEMP
2018-03-17 18:28 - 2015-01-02 21:33 - 000071168 _____ C:\Users\WHITE\Desktop\keymaker.exe
2018-03-18 01:01 - 2014-07-21 10:23 - 000130712 _____ () C:\Users\WHITE\AppData\Local\Temp
Task: {EF1E2B9F-5B31-4EB8-9E1C-A8EF58E6DC78} - \Driver Booster SkipUAC (WHITE)
AlternateDataStreams: C:\ProgramData\TEMP:56E2E879 [141]
FirewallRules: [TCP Query User{8F14F7C3-905C-47AA-83AB-0184C9797FB5}C:\users\white\appdata\local\temp\cjzjmoqbc\metsvc.exe] => (Block) C:\users\white\appdata\local\temp\cjzjmoqbc\metsvc.exe
FirewallRules: [UDP Query User{71CBADDA-6FD0-46E3-B568-AAFA7F9B6213}C:\users\white\appdata\local\temp\cjzjmoqbc\metsvc.exe] => (Block) C:\users\white\appdata\local\temp\cjzjmoqbc\metsvc.exe
C:\Users\WHITE\AppData\Roaming\IObit
2018-03-24 13:53 - 2018-03-31 07:14 - 000000000 ____D C:\ProgramData\IObit
2018-03-24 13:53 - 2018-03-24 13:53 - 000000000 ____D C:\Windows\IObit
2018-03-24 13:42 - 2018-03-31 07:10 - 000000000 ____D C:\Users\WHITE\AppData\LocalLow\IObit
cmd: type "C:\Users\WHITE\Desktop\details.txt"
emptytemp:
 
*****************
 
Restore point was successfully created.
Processes closed successfully.
C:\ProgramData\TEMP => moved successfully
C:\Users\WHITE\Desktop\keymaker.exe => moved successfully
 
"C:\Users\WHITE\AppData\Local\Temp" folder move:
 
Could not move "C:\Users\WHITE\AppData\Local\Temp" => Scheduled to move on reboot.
 
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{EF1E2B9F-5B31-4EB8-9E1C-A8EF58E6DC78}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EF1E2B9F-5B31-4EB8-9E1C-A8EF58E6DC78}" => removed successfully
"C:\ProgramData\TEMP" => ":56E2E879" ADS not found.
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{8F14F7C3-905C-47AA-83AB-0184C9797FB5}C:\users\white\appdata\local\temp\cjzjmoqbc\metsvc.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{71CBADDA-6FD0-46E3-B568-AAFA7F9B6213}C:\users\white\appdata\local\temp\cjzjmoqbc\metsvc.exe" => removed successfully
C:\Users\WHITE\AppData\Roaming\IObit => moved successfully
C:\ProgramData\IObit => moved successfully
C:\Windows\IObit => moved successfully
C:\Users\WHITE\AppData\LocalLow\IObit => moved successfully
 
========= type "C:\Users\WHITE\Desktop\details.txt" =========
 
 
========= End of CMD: =========
 
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 40125370 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 16553037 B
Edge => 0 B
Chrome => 581191274 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 83391 B
systemprofile32 => 66228 B
LocalService => 66228 B
NetworkService => 6232 B
WHITE => 355669659 B
 
RecycleBin => 0 B
EmptyTemp: => 955.7 MB temporary data Removed.
 
================================
 
Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 01-04-2018 06:41:57)
 
C:\Users\WHITE\AppData\Local\Temp => moved successfully
 
==== End of Fixlog 06:41:57 ====


#10 DarUrjakar_Jahkrhan

Posted 01 April 2018 - 12:52 AM

Search.txt

 

 

Farbar Recovery Scan Tool (x64) Version: 14.03.2018
Ran by WHITE (01-04-2018 07:07:54)
Running from C:\Users\WHITE\Desktop
Boot Mode: Normal
 
================== Search Files: "SearchAll: *whauwx*
" =============
 
File:
========
 
folder:
========
 
Registry:
========
 
 

 

====== End of Search ======


#11 DarUrjakar_Jahkrhan

Posted 01 April 2018 - 12:55 AM

AdwCleaner[C0].txt

 

 

# AdwCleaner 7.0.8.0 - Logfile created on Sun Apr 01 05:27:28 2018
# Updated on 2018/08/02 by Malwarebytes 
# Running on Windows 7 Ultimate (X64)
# Mode: clean
 
***** [ Services ] *****
 
No malicious services deleted.
 
***** [ Folders ] *****
 
Deleted: C:\Users\WHITE\Downloads\DriverToolkit
Deleted: C:\ProgramData\Speedbit
Deleted: C:\ProgramData\Application Data\Speedbit
Deleted: C:\Users\All Users\Speedbit
Deleted: C:\Users\WHITE\AppData\LocalLow\Speedbit
Deleted: C:\Users\WHITE\AppData\Roaming\Speedbit
 
 
***** [ Files ] *****
 
No malicious files deleted.
 
***** [ DLL ] *****
 
No malicious DLLs cleaned.
 
***** [ WMI ] *****
 
No malicious WMI cleaned.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts cleaned.
 
***** [ Tasks ] *****
 
No malicious tasks deleted.
 
***** [ Registry ] *****
 
Deleted: [Key] - HKLM\SOFTWARE\SpeedBit
Deleted: [Key] - HKU\S-1-5-21-3304123577-1118726963-4268761665-1000\Software\SpeedBit
Deleted: [Key] - HKCU\Software\SpeedBit
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{03C0AC00-86DE-4B55-81BA-2E7CD61C51B1}
Deleted: [Key] - HKLM\SOFTWARE\Classes\AppID\{58FDA6AF-67D8-4198-B7CD-94B17532C8D5}
Deleted: [Key] - HKLM\SOFTWARE\Classes\TypeLib\{8FB1A663-2820-468B-95C4-5060A4C5F413}
Deleted: [Key] - HKLM\SOFTWARE\Classes\TypeLib\{82351433-9094-11D1-A24B-00A0C932C7DF}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{61AB12E1-A5FF-11D1-B2E9-444553540000}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{6DC82D15-92F2-11D1-A255-00A0C932C7DF}
 
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries deleted.
 
***** [ Chromium (and derivatives) ] *****
 
Plugin deleted: Download Accelerator Plus (DAP) - 
 
 
*************************
 
::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0
 
 
 
*************************
 
C:/AdwCleaner/AdwCleaner[S0].txt - [2300 B] - [2018/4/1 5:25:48]
 
 

 

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt ##########


#12 DarUrjakar_Jahkrhan

Posted 01 April 2018 - 12:57 AM

AdwCleaner[S0].txt

 

 

# AdwCleaner 7.0.8.0 - Logfile created on Sun Apr 01 05:25:48 2018
# Updated on 2018/08/02 by Malwarebytes 
# Database: 2018-03-30.1
# Running on Windows 7 Ultimate (X64)
# Mode: scan
 
***** [ Services ] *****
 
No malicious services found.
 
***** [ Folders ] *****
 
PUP.Optional.Legacy, C:\Users\WHITE\Downloads\DriverToolkit
PUP.Optional.Legacy, C:\ProgramData\Speedbit
PUP.Optional.Legacy, C:\ProgramData\Application Data\Speedbit
PUP.Optional.Legacy, C:\Users\All Users\Speedbit
PUP.Optional.Legacy, C:\Users\WHITE\AppData\LocalLow\Speedbit
PUP.Optional.Legacy, C:\Users\WHITE\AppData\Roaming\Speedbit
 
 
***** [ Files ] *****
 
No malicious files found.
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
***** [ WMI ] *****
 
No malicious WMI found.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts found.
 
***** [ Tasks ] *****
 
No malicious tasks found.
 
***** [ Registry ] *****
 
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\SpeedBit
PUP.Optional.Legacy, [Key] - HKU\S-1-5-21-3304123577-1118726963-4268761665-1000\Software\SpeedBit
PUP.Optional.Legacy, [Key] - HKCU\Software\SpeedBit
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\Interface\{03C0AC00-86DE-4B55-81BA-2E7CD61C51B1}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\AppID\{58FDA6AF-67D8-4198-B7CD-94B17532C8D5}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\TypeLib\{8FB1A663-2820-468B-95C4-5060A4C5F413}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\TypeLib\{82351433-9094-11D1-A24B-00A0C932C7DF}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\CLSID\{61AB12E1-A5FF-11D1-B2E9-444553540000}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\CLSID\{6DC82D15-92F2-11D1-A255-00A0C932C7DF}
 
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries.
 
***** [ Chromium (and derivatives) ] *****
 
PUP.Optional.Legacy, Plugin found: Download Accelerator Plus (DAP) - 
 
/!\ Please Reset the Chrome Synchronization before cleaning the Chrome Preferences: https://support.google.com/chrome/answer/3097271 
 
 
*************************
 
 
 

 

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt ##########


#13 Oh My!

Posted 01 April 2018 - 08:25 AM

Good work. :thumbsup2:

Please update me on the performance of your computer.
Gary

#14 DarUrjakar_Jahkrhan

Posted 02 April 2018 - 02:08 AM

I have not noticed anything suspicious anymore; it seems like things are fixed.
Thank you very much for the assistance, Oh My! :)



#15 Oh My!

Posted 02 April 2018 - 08:05 AM

Great, I would like to run 2 more programs before parting ways.

Please do this.

===================================================

ESET Online Scanner

--------------------

I'd like us to scan your machine with ESET Online Scanner. This process may take several hours; that is normal.
  • Download esetsmartinstaller_enu.exe and save it to your Desktop
  • Double click the icon
  • Check YES, I accept the Terms of Use
  • Click the Start button
  • Accept any security warnings from your browser
  • Click Advanced settings
  • Check the following items

Enable detection of potentially unwanted applications
Remove found threats
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology

  • Click Start
  • ESET will then download updates and begin scanning your computer
  • If no threats are found simply click Uninstall application on close and hit Finish
  • If threats are found click List of found threats
  • Click Export to text file
  • Save the file on your Desktop as ESET.txt
  • Click Back
  • Review the list of entries and if there are any you want to keep stop and copy/paste the ESET.txt report in your reply for my review
  • If you do not wish to keep any of the entries check Uninstall application on close and Delete quarantined files
  • Click Finish
  • Close the ESET Online Scanner window
  • Copy and paste the contents of ESET.txt in your reply
===================================================

Security Analysis by Rocket Grannie

--------------------
  • Please download Security Analysis by Rocket Grannie and save it to your Desktop
  • Right click on the icon and select Run as administrator
  • Click OK on the disclaimer and ignore any security warnings that may appear
  • In your reply, please copy and paste the contents of the Notepad document that will appear on your desktop
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • ESET log
  • Security Analysis log
  • How is your computer running?

Gary



